cosmos-sdk/docs/architecture/adr-006-secret-store-replac...

# ADR 006: Secret Store Replacement

## Changelog

* July 29th, 2019: Initial draft
* September 11th, 2019: Work has started
* November 4th: Cosmos SDK changes merged in
* November 18th: Gaia changes merged in

## Context

Currently, a Cosmos SDK application's CLI directory stores key material and metadata in a plain text database in the user’s home directory.  Key material is encrypted by a passphrase, protected by bcrypt hashing algorithm. Metadata (e.g. addresses, public keys, key storage details) is available in plain text.

This is not desirable for a number of reasons. Perhaps the biggest reason is insufficient security protection of key material and metadata. Leaking the plain text allows an attacker to surveil what keys a given computer controls via a number of techniques, like compromised dependencies without any privilege execution. This could be followed by a more targeted attack on a particular user/computer.

All modern desktop computers OS (Ubuntu, Debian, MacOS, Windows) provide a built-in secret store that is designed to allow applications to store information that is isolated from all other applications and requires passphrase entry to access the data.

We are seeking solution that provides a common abstraction layer to the many different backends and reasonable fallback for minimal platforms that don’t provide a native secret store.

## Decision

We recommend replacing the current Keybase backend based on LevelDB with [Keyring](https://github.com/99designs/keyring) by 99 designs. This application is designed to provide a common abstraction and uniform interface between many secret stores and is used by AWS Vault application by 99-designs application.

This appears to fulfill the requirement of protecting both key material and metadata from rouge software on a user’s machine.

## Status

Accepted

## Consequences

### Positive

Increased safety for users.

### Negative

Users must manually migrate.

Testing against all supported backends is difficult.

Running tests locally on a Mac require numerous repetitive password entries.

### Neutral

{neutral consequences}

## References

* #4754 Switch secret store to the keyring secret store (original PR by @poldsam) [__CLOSED__]
* #5029 Add support for github.com/99designs/keyring-backed keybases [__MERGED__]
* #5097 Add keys migrate command [__MERGED__]
* #5180 Drop on-disk keybase in favor of keyring [_PENDING_REVIEW_]
* cosmos/gaia#164 Drop on-disk keybase in favor of keyring (gaia's changes) [_PENDING_REVIEW_]
-												Merge PR #4942: ADR 010: Modular AnteHandler


											
										
										
											2019-08-28 08:36:44 -07:00
+								# ADR 006: Secret Store Replacement
-												Merge PR #4813: ADR-006 Secret Store


											
										
										
											2019-08-15 08:02:36 -07:00
 								## Changelog
-												docs: Improve markdownlint configuration (#11104)

## Description

Closes: #9404



---

### Author Checklist

*All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.*

I have...

- [x] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title
- [ ] added `!` to the type prefix if API or client breaking change
- [x] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting))
- [x] provided a link to the relevant issue or specification
- [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules)
- [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing)
- [ ] added a changelog entry to `CHANGELOG.md`
- [ ] included comments for [documenting Go code](https://blog.golang.org/godoc)
- [ ] updated the relevant documentation or specification
- [x] reviewed "Files changed" and left comments if necessary
- [x] confirmed all CI checks have passed

### Reviewers Checklist

*All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.*

I have...

- [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title
- [ ] confirmed `!` in the type prefix if API or client breaking change
- [ ] confirmed all author checklist items have been addressed 
- [ ] reviewed state machine logic
- [ ] reviewed API design and naming
- [ ] reviewed documentation is accurate
- [ ] reviewed tests and test coverage
- [ ] manually tested (if applicable)
											
										
										
											2022-02-10 04:07:01 -08:00
+								* July 29th, 2019: Initial draft
 								* September 11th, 2019: Work has started
 								* November 4th: Cosmos SDK changes merged in
 								* November 18th: Gaia changes merged in
-												Merge PR #4813: ADR-006 Secret Store


											
										
										
											2019-08-15 08:02:36 -07:00
 								## Context
-												docs: 10180 Fix SDK (#10237)

* docs: Fix Cosmos-sdk references in md files

* Fix SDK to Cosmos SDK in all found places and adjust grammar in turn

* Add changelog entry

* Update docs/core/context.md

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>

* Update docs/architecture/adr-010-modular-antehandler.md

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>

* Update docs/basics/README.md

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>

* Update docs/architecture/adr-040-storage-and-smt-state-commitments.md

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>

* Update docs/building-modules/intro.md

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>

* Update docs/building-modules/intro.md

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>

* Update docs/core/baseapp.md

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>

* Update docs/building-modules/intro.md

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>

* Update docs/basics/accounts.md

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>

* docs 10180 fix 'an Cosmos SDK' where used

Co-authored-by: Barrie Byron <barrie.byron@tendermint.com>
Co-authored-by: Amaury <1293565+amaurym@users.noreply.github.com>
Co-authored-by: Robert Zaremba <robert@zaremba.ch>
											
										
										
											2021-09-28 10:33:58 -07:00
+								Currently, a Cosmos SDK application's CLI directory stores key material and metadata in a plain text database in the user’s home directory.  Key material is encrypted by a passphrase, protected by bcrypt hashing algorithm. Metadata (e.g. addresses, public keys, key storage details) is available in plain text.
-												Merge PR #4813: ADR-006 Secret Store


											
										
										
											2019-08-15 08:02:36 -07:00
 								This is not desirable for a number of reasons. Perhaps the biggest reason is insufficient security protection of key material and metadata. Leaking the plain text allows an attacker to surveil what keys a given computer controls via a number of techniques, like compromised dependencies without any privilege execution. This could be followed by a more targeted attack on a particular user/computer.
-												chore: add markdownlint to lint commands (#9353)

* add markdownlint config

* update make lint commands

* update markdownlint config

* run make lint-fix

* fix empty link

* resuse docker container

* run lint-fix

* do not echo commands

Co-authored-by: ryanchrypto <12519942+ryanchrypto@users.noreply.github.com>
											
										
										
											2021-05-27 08:31:04 -07:00
+								All modern desktop computers OS (Ubuntu, Debian, MacOS, Windows) provide a built-in secret store that is designed to allow applications to store information that is isolated from all other applications and requires passphrase entry to access the data.
-												Merge PR #4813: ADR-006 Secret Store


											
										
										
											2019-08-15 08:02:36 -07:00
 								We are seeking solution that provides a common abstraction layer to the many different backends and reasonable fallback for minimal platforms that don’t provide a native secret store.
 								## Decision
 								We recommend replacing the current Keybase backend based on LevelDB with [Keyring](https://github.com/99designs/keyring) by 99 designs. This application is designed to provide a common abstraction and uniform interface between many secret stores and is used by AWS Vault application by 99-designs application.
 								This appears to fulfill the requirement of protecting both key material and metadata from rouge software on a user’s machine.
 								## Status
-												Update ADR 006 (#5326)


											
										
										
											2019-11-19 01:51:39 -08:00
+								Accepted
-												Merge PR #4813: ADR-006 Secret Store


											
										
										
											2019-08-15 08:02:36 -07:00
 								## Consequences
 								### Positive
 								Increased safety for users.
 								### Negative
 								Users must manually migrate.
 								Testing against all supported backends is difficult.
 								Running tests locally on a Mac require numerous repetitive password entries.
 								### Neutral
 								{neutral consequences}
 								## References
-												docs: Improve markdownlint configuration (#11104)

## Description

Closes: #9404



---

### Author Checklist

*All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.*

I have...

- [x] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title
- [ ] added `!` to the type prefix if API or client breaking change
- [x] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting))
- [x] provided a link to the relevant issue or specification
- [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules)
- [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing)
- [ ] added a changelog entry to `CHANGELOG.md`
- [ ] included comments for [documenting Go code](https://blog.golang.org/godoc)
- [ ] updated the relevant documentation or specification
- [x] reviewed "Files changed" and left comments if necessary
- [x] confirmed all CI checks have passed

### Reviewers Checklist

*All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.*

I have...

- [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title
- [ ] confirmed `!` in the type prefix if API or client breaking change
- [ ] confirmed all author checklist items have been addressed 
- [ ] reviewed state machine logic
- [ ] reviewed API design and naming
- [ ] reviewed documentation is accurate
- [ ] reviewed tests and test coverage
- [ ] manually tested (if applicable)
											
										
										
											2022-02-10 04:07:01 -08:00
+								* #4754 Switch secret store to the keyring secret store (original PR by @poldsam) [__CLOSED__]
 								* #5029 Add support for github.com/99designs/keyring-backed keybases [__MERGED__]
 								* #5097 Add keys migrate command [__MERGED__]
 								* #5180 Drop on-disk keybase in favor of keyring [_PENDING_REVIEW_]
 								* cosmos/gaia#164 Drop on-disk keybase in favor of keyring (gaia's changes) [_PENDING_REVIEW_]